From: Yue Tao <[email protected]>

The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Supplemental enhancement information (SEI) data, which triggers an infinite loop.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946 Signed-off-by: Yue Tao <[email protected]> Signed-off-by: Roy Li <[email protected]> --- .../0001-h264_sei-Fix-infinite-loop.patch | 39 ++++++++++++++++++++ .../gstreamer/gst-ffmpeg_0.10.13.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch new file mode 100644 index 0000000..954ea5b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch @@ -0,0 +1,39 @@ +gst-ffmpeg: h264_sei: Fix infinite loop. + +Fixsot yet fixed parts of CVE-2011-3946. + +Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind +Signed-off-by: Michael Niedermayer <[email protected]> + +Upstream-Status: Pending + +Signed-off-by: Yue Tao <[email protected]> + +--- + libavcodec/h264_sei.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + + +diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c +index 374e53d..80d70e5 100644 +--- a/gst-libs/ext/libav/libavcodec/h264_sei.c ++++ b/gst-libs/ext/libav/libavcodec/h264_sei.c +@@ -169,11 +169,15 @@ int ff_h264_decode_sei(H264Context *h){ + + type=0; + do{ ++ if (get_bits_left(&s->gb) < 8) ++ return -1; + type+= show_bits(&s->gb, 8); + }while(get_bits(&s->gb, 8) == 255); + + size=0; + do{ ++ if (get_bits_left(&s->gb) < 8) ++ return -1; + size+= show_bits(&s->gb, 8); + }while(get_bits(&s->gb, 8) == 255); + +-- +1.7.5.4 + diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb index c014fc2..ad4dd34 100644 --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb 
@@ -41,6 +41,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \ file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \ file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \ + file://0001-h264_sei-Fix-infinite-loop.patch \ " SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" -- 1.7.10.4
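
Review bot: In the header of the new 0001-h264_sei-Fix-infinite-loop.patch, "Upstream-Status: Pending" sits next to a Signed-off-by from Michael Niedermayer and a Found-by credit, which reads as a change taken from upstream FFmpeg; if that is the case the tag should be Backport, with the upstream commit referenced. The description line "Fixsot yet fixed parts of CVE-2011-3946" is garbled and should be corrected, and the embedded "diff --git a/libavcodec/h264_sei.c" line does not match the gst-libs/ext/libav/ paths on the ---/+++ lines that follow it. On the code itself, the two added "get_bits_left(&s->gb) < 8" checks stop both do/while loops from reading past the end of the buffer, but they return a bare -1; please confirm that the callers of ff_h264_decode_sei treat that value as a decode error and do not retry the same SEI data.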
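
Review bot: The patch added to SRC_URI describes itself as covering only the parts of CVE-2011-3946 that were not yet fixed, yet the context lines around "+ file://0001-h264_sei-Fix-infinite-loop.patch \" show no other h264_sei patch. Please state in the commit message where the remaining part of the fix lives (already in the libav copy bundled with gst-ffmpeg 0.10.13, or in another patch in this list), so the CVE can be tracked as fully addressed for this recipe.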
